DETAILED ACTION

1. Claims 1-65 have been re-examined and remain rejected due to new
grounds of rejection necessitated by Applicant's amendment.

2. Claims 1-65 have been rejected under 35 U.S.C. 112, 1st paragraph.

3. This is a Final rejection. 

Claim Rejections - 35 USC §112 

The following is a quotation of the first paragraph of 35 U.S.C. 112:

The specification shall contain a written description of the invention, and of the manner and 
process of making and using it, in such full, clear, concise, and exact terms as to enable any 
person skilled in the art to which it pertains, or with which it is most nearly connected, to 
make and use the same and shall set forth the best mode contemplated by the inventor of 
carrying out his invention. 

4. Claims 1-2, and 4-65 are rejected under 35 U.S.C. 112, first paragraph, as 
failing to comply with the written description requirement. The claim(s) 
contains subject matter which was not described in the specification in such a 
way as to reasonably convey to one skilled in the relevant art that the 
inventor(s), at the time the application was filed, had possession of the claimed
invention. 

The Examiner finds the newly amended claims 1, 42, 51, and 56 include new
subject matter introduced to the application that was not originally submitted. 
The specification fails to discuss "the computer security incident information 
indicating one of suspicious computer activity that occurs prior to a computer 
security threat and an actual computer security threat". All other claims are 
also rejected due to their dependencies. 

Claim Rejections - 35 USC §102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form 
the basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 
122(b), by another filed in the United States before the invention by the applicant for patent 
or (2) a patent granted on an application for patent by another filed in the United States 
before the invention by the applicant for patent, except that an international application 
filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application 
designated the United States and was published under Article 21(2) of such treaty in the 
English language. 

5. Claims 1-41 are rejected under 35 U.S.C. 102(e) as being anticipated 
by Reps, et al. (US 6,070,190). 
As per claim 1: 

Reps, et al. disclose a method for automatically creating a record for one 
or more security incidents and reactions thereto, comprising the steps of: 

recording computer security incident information with at least one of a 
date and time stamp [see col.14, lines 1-21], the computer security incident 
information indicating one of suspicious computer activity that occurs prior to 
a computer security threat and an actual computer security threat; [see col.14, 
lines 55-57] 

providing data to enable display of a procedure comprising one or more 
steps for one of investigating and responding to the computer security incident 
information; [see col. 11, lines 4-34] 

receiving a selection of one or more steps of a procedure; executing the
selected one or more steps of the procedure; [see col.15, lines 11-17] 

in response to executing the one or more steps of the selected procedure, 
recording executed procedure information and results of the executed 
procedure with at least one of a date and time stamp; and [see col. 14, lines 
16-18] 

outputting a record comprising the computer security incident 
information, executed procedure information [col. 25, lines 15-55], results of 
one or more steps of the executed procedure [col. 15, line 50-67], an identity of a
user who selected the procedure [see col. 11, lines 63-65], and at least one of a 
corresponding date stamp and time stamp, [see col. 14, lines 16-18] 
As per claim 2: see col. 9, lines 58-67; discussing an unmodifiable 
permanent database. 

As per claim 4: see col. 16, lines 33-37; discusses extracting the information 
from the results of an executed procedure. 

As per claim 5: see col. 16, lines 38-57; discusses describing a computer 
security incident with said extraction information. 

As per claim 6: see col. 16, lines 57-65 and col. 18, lines 28-30; discussing 
displaying information for a particular computer security incident to more than 
one user. 

As per claim 7: see col. 16, lines 19-32 and col. 20, lines 25-36; discusses
prepopulating fields of a record of a first program module from a second 
program module. 
As per claim 8: 

Reps discusses receiving security incident information from a first program 
module; processing the security incident information with a second program 
module; and forwarding the processed computer security incident information 
from the second program module to a third program module. [col. 24,
lines 32-38 and col. 25, lines 15-55]

As per claim 9: see col. 13, lines 30-40; discusses receiving a selection of a 
procedure comprises automatically selecting a procedure with a program 
module. 

As per claim 10: see col. 16, lines 24-60; discusses suggesting a procedure 
with a program module based upon the type of computer security incident. 
As per claim 11: see col. 15, lines 11-15; discussing each steps are performed 
automatically by a program module. 

As per claim 12: see col. 15, lines 11-15; discussing some steps are performed 
automatically by a program module. 

As per claim 13: see col. 16, line 54-65 and col. 20, lines 27-36; discusses 
displaying reports comprising one or more computer security incidents. 
As per claim 14: see col. 14, lines 40-45; discussing the results of an executed 
procedure comprise at least one of text, numbers, images, or formatted 
documents, [the results must be in text, numbers, images, or formatted
documents if a user can view it on the display] 

As per claim 15: see col. 16, line 54-60; discusses predicting future actions of 
a source of a computer security incident. 

As per claim 16: see col. 16, lines 34-36; discusses identifying the source of a 
computer security incident. 

As per claim 17: see col. 14, lines 62-66; discusses sorting decoy or false 
security incidents from actual computer security incidents. 

As per claim 18: see col. 16, lines 54-60 and col. 24, lines 32-38; discusses 
linking a first procedure to a second procedure. 

As per claim 19: see col. 10, lines 45-48; discusses determining the 
authorization level of a user. 

As per claim 20: see col. 11, lines 3-10 and col. 18, lines 49-54; discusses 
providing data to enable display of a procedure further comprises the step of 
providing data for enabling display of one or more steps of a procedure. 
As per claim 21: 

Reps discusses providing data to enable display of a response procedure [see 
col. 11, lines 3-10]; executing the response procedure [col. 14, lines 40-43]; and 
in response to executing the response procedure, recording executed response 
procedure information and results of the executed response procedure with at 
least one of a date and time stamp, [col. 14, lines 44-52 and col. 25, lines 15-
55]

As per claim 22:

Reps discuss providing data to enable display of an investigation procedure; 
executing the response procedure; and [col. 19, lines 27-39 and col. 21, lines 27-
56] in response to executing an investigation procedure [col. 19, lines 40-61], 
recording executed response procedure information and results of the executed 
response procedure with at least one of a date and time stamp, [col. 14, lines 3- 
21] 

As per claim 23: see col. 11, lines 3-10; discusses providing data to enable
display of a procedure further comprises the step of providing data to enable 
display of one or more steps of the response procedure. 

As per claim 24: see col. 14, lines 40-43; discusses providing data to enable
display of results of the executed procedure. 

As per claim 25: see col. 19, lines 54-61; discusses providing data to enable 
display of results of the executed procedure. 

As per claim 26: see col. 20, lines 25-31; discusses identifying an appropriate 
computer to execute a step in the investigation procedure; and identifying an 
appropriate computer to execute a step in the response procedure. 
As per claim 27: 

Reps discusses accessing a table comprising computer locations and step 
information [col. 5, lines 46-48 and col. 11, lines 48-52]; comparing a step to be
executed with computer locations listed in the table; determining if a match 
exists between the step to be executed and the computer locations [col. 14, lines 
62-66 and col. 25, lines 31-38]; and if one or more matches exist, displaying the
matching information or automatically selecting appropriate location, [col. 23,
lines 27-48 and col. 25, lines 39-42]

As per claim 28: see col. 11, lines 50-52 and col. 25, lines 31-37; discussing
the table further comprises Internet address ranges, the method further
comprising the step of comparing an Internet address of a source of a computer
security incident with the Internet address ranges of the table.

As per claim 29: see col. 9, lines 24-35; discusses providing data to enable
display of an appropriate substitute computer location if a match does not
exist.

As per claim 30: see col. 16, lines 34-67; discusses identifying an appropriate 
computer to execute a step in either an investigation or a response procedure, 
wherein the computer is strategically located relative to a source of a security 
incident. 

As per claim 31: see col. 13, lines 30-40; discusses executing one or more 
program modules in response to a selection of a procedure. 
As per claim 32: see col.9, lines 24-35 and col. 17, lines 45-67; discussing one 
or more program modules comprises one or more software application 
programs that can operate as a stand alone programs. 

As per claim 33: see col. 15, lines 7-10 and col. 17, lines 45-67; discussing one 
or more program modules comprises an off the shelf software application 
programs. 

As per claim 34: see col. 14, lines 62-66; discussing the security incident
information comprises predefined attributes. 
As per claim 35: 

Reps discussing the predefined attributes [col. 25, lines 15-55] comprise any one
of a computer incident severity level, a computer incident category, a computer 
incident scope value, a computer incident status value, an attacker internet 
protocol (IP) address value, an attacker ISP name, an attacker country, an 
external attacker status value, an incident type value, a vulnerabilities level, an 
entry point value, an attack profile value, a target networks value, a target 
firewalls value, a target hosts value, a target services value, a target accounts 
value, and a damage type value. [col. 11, lines 15-26 and col. 12, lines 1-3] 
As per claim 36: see col. 11, lines 15-26; discussing the security incident 
information comprises attributes that are at least one of variable and 
computer-generated.

As per claim 37: see col. 11, lines 15-26; discusses whether a computer 
security incident comprises an actual breach in security based upon values of 
its attributes. 

As per claim 38: see col. 11, lines 28-34; discusses receiving a selection for a 
step of a procedure; and generating a pre-execution warning prior to the 
selection of a step. 
As per claim 39: 

Reps discusses receiving a selection for a step of a procedure, executing the
selected step [see col. 15, lines 11-17], and suggesting an appropriate 
subsequent step in the procedure, [col. 15, lines 20-41] 

As per claim 40: see col. 13, lines 30-40 and col. 15, lines 11-15; discussing 
each step is performed automatically in response to a detected computer 
security incident. 
As per claim 41: 

Reps discusses providing data to enable display of a plurality of computer tools 
in a non-procedural manner; receiving a selected for a computer tool [col.9, 
lines 24-35 and lines 55-57]; and executing the selected computer tool. [col. 15, 
lines 7-15] 
As per claim 42: 

Reps, et al. disclose a method for organizing and recording reactions to 
one or more security incidents, comprising the steps of: 

providing data to enable display of one or more computer security 
investigation procedures for investigating [see col. 11, lines 4-34] one of 
suspicious computer activity that occurs prior to a computer security threat 
and an actual computer security threat; [see col. 14, lines 55-57] 

providing data to enable display of one or more security response 
procedures comprising one or more steps for one of investigating and 
responding to the computer security incident information; [see col. 19, lines 4- 
43-62] 



Application/ Control Number: 09/685,285 Page 11 

Art Unit: 2135 

in response to a selection of a computer security investigation procedure, 
providing data to enable display of one or more corresponding investigation 
steps; [col. 19, lines 40-61], 

in response to a selection of a computer security response procedure, 
providing data to enable display of one or more corresponding response steps; 
and [col. 14, lines 44-52] 

generating a permanent record comprising security incident information, 
executed investigation step and result information [col. 25, lines 15-55], 
executed response step and result information, and corresponding date and 
time stamps. [see col. 14, lines 1-21] 

As per claim 43: see col. 14, lines 3-18 and col. 19, lines 41-54; discussing 
recording executed investigation step information and results of the executed 
investigation step with at least one of a date and time stamp in response to a 
selection of a step of a response procedure. 

As per claim 44: see col. 14, lines 3-43; discussing recording executed
response step information and results of the executed response step with at 
least one of a date and time stamp in response to a selection of a step of a 
response procedure. 
As per claim 45: 

Reps discuss providing data to enable display of a plurality of procedures;
in response to receiving a selection of a procedure, displaying a plurality of
steps [col. 14, lines 3-43]; obtaining modification information for the selected
procedure; and storing the modification information. [col. 20, lines 27-25-45
and col. 25, lines 31-53]

As per claim 46: see col. 25, lines 31-53; discusses adding or deleting a step in
a procedure.

As per claim 47: 

Reps discusses providing data to enable display of a plurality of steps of a 
procedure [see col. 11, lines 1-10 and lines 42-47]; in response to receiving a
selection of a step, providing data to enable display of detailed information 
fields related to the selected step [see col. 19, lines 27-39]; obtaining 
modification information for the selected step; and storing the modification 
information. [col. 20, lines 27-25-45 and col. 25, lines 31-53]

As per claim 48: see col.20, lines 27-25-45 and col.25, lines 31-53; discusses 
adding, deleting or modifying a step in a procedure. 
As per claim 49: 

Reps discusses obtaining computer security incident search information and 
providing data to enable display of a plurality of one or more computer security 
incidents matching the computer security incident search information, [col. 16, 
lines 34-65] 
As per claim 50: 

Reps discuss tracking multiple computer security incidents and storing 
information for each computer security in accordance with at least one of date 
and time stamp, [col. 14, lines 3-43] 

As per claim 51:

Reps discloses a method for selecting a computer that is strategically 
located relative to a source of a security incident, comprising the steps of: 

accessing a table comprising computer, Internet address ranges, and 
computer security step information [col. 5, lines 46-48 and col. 11, lines 48-52] 
for one of investigating [see col. 11, lines 4-34] one of suspicious computer 
activity that occurs prior to a computer security threat and an actual computer 
security threat; [see col. 14, lines 55-57 and col. 25, lines 15-55] 

comparing a computer security step to be executed and a target Internet 
address with computer locations and Internet address ranges listed in the 
table; [col. 14, lines 62-66 and col. 25, lines 31-38] 

determining if a match exists between the computer security step to be 
executed and the computer locations; [col. 23, lines 27-48 and col. 25, lines 
39-42] 

determining if a match exists between an Internet address of a computer 
security incident and Internet address ranges listed in the table; and 
[col. 11, lines 50-52 and col.25, lines 31-37] 

selecting a computer to execute the computer security step based upon 
the matching steps, wherein the computer has a location and is capable of 
interacting with the Internet address of the security incident, [col. 11, lines 50- 
65 and col.25, lines 31-37] 

As per claim 52:

Reps discusses if one or more matches exist, providing data to enable display 
of the matching information and if a match does not exist, providing data to 
enable display of one or more appropriate substitute computer location or 
automatically selecting an appropriate location, [col. 9, lines 24-35] 
As per claim 53: see col. 16, lines 34-67; discusses a portion of a computer 
security response procedure, wherein the computer is strategically located 
relative to a source of a security incident. 

As per claim 54: see col. 19, lines 27-46; discusses a portion of a computer 
security investigation procedure, wherein the computer is strategically located 
relative to a source of a security incident. 

As per claim 55: see col. 15, lines 7-10; discussing one or more off the shelf 
security application programs. 
As per claim 56: 

Reps discloses a method for generating a permanent record or one or 
more computer security incidents and reactions thereto, comprising the steps 
of: 

receiving the computer security incident information [col. 25, lines 15-55] 
indicating one of suspicious computer activity that occurs prior to a computer 
security threat and an actual computer security threat; [see col. 14, lines 55- 
57] 

displaying one or more tools [col. 9, lines 24-35 and lines 55-57] for one of
investigating [see col. 11, lines 4-34] one of suspicious computer activity that
occurs prior to a computer security threat and an actual computer security
threat; [see col. 14, lines 55-57]

receiving a selection of a tool; [col. 15, lines 7-15 ] 

in response to a selection of a tool, forwarding data for execution of the 
tool; and [col. 13, lines 17-25] 

forwarding data for generating a permanent record comprising computer 
security incident information, executed tool information, and corresponding 
date and time stamp. [col. 14, lines 3-43] 

As per claim 57: see col. 11, lines 3-6; discusses displaying the tools as icons 
on a computer display. 

As per claim 58: see col. 12, lines 1-10 and lines 17-23; discusses displaying a 
plurality of tools that are selectable from a menu. 

As per claim 59: see col. 12, lines 17-23 and col. 17, lines 45-67; discusses 
installing the one or more program modules within a single program on a 
server. 

As per claim 60: see col.9, lines 25-28 and col. 12, lines 17-23; discusses 
installing the one or more program modules on a single server. 
As per claim 61: see col. 17, lines 45-67; discusses installing the one or more 
program modules on a computer that is a target of a computer incident. 

As per claim 62: see col. 9, lines 52-57; discusses installing the one or more
program modules on both a computer that is a target of a computer incident 
and a server. 

As per claim 63: see col. 14, lines 62-66 and col. 17, lines 18-28; discussing 
comparing an Internet address of a computer subject to an attack or a security 
breach with the Internet address ranges of the table. 

As per claim 64: see col. 14, lines 62-66 and col.25, lines 31-50; discussing 
comparing an Internet address of a witness to a computer security incident 
with the Internet address ranges of the table. 

As per claim 65: see col. 17, lines 18-28 and col.25, lines 31-50; discussing 
comparing an Internet address of an accomplice to a computer security 
incident with the Internet address ranges of the table. 

Claim Rejections - 35 USC §103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or 
described as set forth in section 102 of this title, if the differences between the subject 
matter sought to be patented and the prior art are such that the subject matter as a whole 
would have been obvious at the time the invention was made to a person having ordinary 
skill in the art to which said subject matter pertains. Patentability shall not be negatived by 
the manner in which the invention was made. 

6. Claim 3 is rejected under 35 U.S.C. 103(a) as being obvious over Reps, et
al. (US 6,477,585) and further in view of Todd Sundsted. 

As per claim 3:

Reps disclose recording security incident information with at least one of 
a date and time stamp [see col. 10, lines 28-56 and col. 14, lines 10-40] and 
providing data to enable display of a procedure [see col. 11, lines 1-10 and lines
42-47]. The time signature is a form of computer security incident information
that tells the time and date file or a message, which is a time /date stamp of a 
file/message (i.e. when created, the last modification, or when received or sent). 
However, Reps fails to include the teachings of a digital signature. 

Sundsted teaches a digital signature that is generated from a 
file/message and comes with a secret key. Sundsted teaches the digital
signature cannot be forged that would not change the file/message without
invalidating the signature, which means the integrity of the message is kept by 
having a digital signature. 

Therefore, it would have been obvious to one of ordinary skill in the art at 
the time of the invention was made to include a digital signature of Sundsted 
with the teachings of Reps would be to maintain the authenticity and integrity 
of the file/message. 

Response to Arguments

7. Applicant's arguments filed August 8, 2004 have been fully 
considered but they are not persuasive. 

The claim language that states "computer security incident" is broad 
where it can be a number of things that constitute as security incident. A 
computer security incident may be any problematic situation occurring in the 
computer or the network. Any malicious attack is considered a computer
security incident where it involves sending a virus, flooding the network or any 
detection of suspicious (unauthorized) use of any thing within the computer 
system and could also be a person using software or physical means to cause a 
disruption or denial of service within a network. 

Reps discloses a system monitoring the use of application programs 
employed to assess any desired performance characteristics of any application 
running in a distributed computing environment from a requesting remote 
resource (col. 8, lines 49-56). So when Reps assesses the system, it means the 
invention involves detecting, determining, and solving susceptible or known 
incidents that have to deal with security issues (col. 25, lines 15-55). Reps
teaches the determination (investigation) and remediation (response) steps after 
detecting violations (col. 11, lines 28-34) by a monitoring program (AMA) which 
records and analyzes service requests whether the transaction is successful or 
deemed unauthorized access to a particular server (col. 10, lines 39-47). 
Hence, constitute computer security incidents and the information pertaining
to the computer security incidents is data that helps determine the situation of 
the system or network. The Examiner gives any terms their broadest 
reasonable interpretation. 

As for the argument of the digital signature, it is known in the prior art. 
However, for purposes of applying art the Examiner combined Reps' invention 
where it teaches a system of recording, investigating, and responsive to 
computer security incidents and its information with Sundsted's teaching of the
digital signature. The digital signature is utilized as a security feature to ensure
authenticity and is recognizable secure information from the suspicious
computer security incident information. Sundsted is used as a secondary
reference that teaches what Reps fails to disclose. If Sundsted has the teachings
of the computer security incidents and its information with the digital 
signature, then there would not be a need for a 103 rejection let alone to have 
Reps as a primary reference. Hence, the Examiner has provided a proper 103
rejection. 

Conclusion

8. Applicant's amendment necessitated the new ground(s) of rejection 
presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. 
See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as 
set forth in 37 CFR 1.136(a).

- A shortened statutory period for reply to this final action is set to expire 
THREE MONTHS from the mailing date of this action. In the event a first reply 
is filed within TWO MONTHS of the mailing date of this final action and the 
advisory action is not mailed until after the end of the THREE-MONTH 
shortened statutory period, then the shortened statutory period will expire on 
the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In 
no event, however, will the statutory period for reply expire later than SIX 
MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to LEYNNA T. HA whose telephone number is (571) 272- 
3851. The examiner can normally be reached on Monday - Thursday (7:00 - 5:00PM). 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on (571) 272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR 
only. For more information about the PAIR system, see http://pair-direct.uspto.gov. 
Should you have questions on access to the Private PAIR system, contact the 
Electronic Business Center (EBC) at 866-217-9197 (toll-free). 



LHa 